Snort mailing list archives

Basic honeypot setup with Snort


From: J Doe <general () nativemethods com>
Date: Fri, 19 May 2017 16:41:50 -0400

Hi,

I currently have a host that I would like to turn into a honeypot.  As a basic, first step, I'd like to capture the 
initial packet of an SMB request (port 445).

As it stands right now, my firewall blocks that port and the honeypot is neither Windows nor *nix with Samba running.  I 
am aware that I need to open port 445 so the three-way handshake can take place and then the attacking machine will 
send the first SMB packet, which can then be analyzed by Snort, but I'm wondering what software I can run to simply 
allow the first packet to be received.

I don't want to run Samba as I don't actually want to receive random files and I don't currently have the time to code 
a listening service that leverages the Samba library.  What do other security practitioners do to make the port 
available for an initial packet?  Is it customary to run something like netcat on that port?  If so, can anyone 
recommend best practices for hardening the configuration of that software (i.e. run netcat in a Docker container, etc.).

For reference, the honeypot will use Ubuntu 16.04 LTS, firewall via iptables and Snort version 2.9.9.0.

Thanks for your help,

- J
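A minimal TCP sink that does what the post describes, added here as an example (not code from the poster or the Snort project): it completes the handshake on 445, reads the client's first packet, logs it with an SMB1/SMB2 label, and closes without ever answering, so no real SMB service is exposed. The port, the 4096-byte read size and the 5-second timeout are assumptions.

```python
import logging
import socket
import threading

# Assumptions: 445 is the honeypot's SMB port (from the post); one 4096-byte
# read is enough to hold the first request.
LISTEN_PORT = 445
FIRST_READ = 4096


def classify_first_packet(data: bytes) -> str:
    """Label the first bytes a client sends on 445.

    SMB over TCP starts with a 4-byte NetBIOS session header (type 0x00,
    24-bit big-endian length) followed by the SMB1 (0xFF 'SMB') or
    SMB2/3 (0xFE 'SMB') protocol id.
    """
    if len(data) < 8:
        return "short"
    if data[0] != 0x00:
        return "not-netbios"
    length = int.from_bytes(data[1:4], "big")
    proto = {b"\xffSMB": "smb1", b"\xfeSMB": "smb2"}.get(data[4:8], "unknown")
    return f"{proto} len={length}"


def handle(conn: socket.socket, addr) -> bytes:
    """Read one packet, log it, close. The sink never replies, so no dialect
    negotiation happens; Snort on the wire has already seen the request."""
    conn.settimeout(5)
    try:
        data = conn.recv(FIRST_READ)
    except OSError:  # timeout or reset before any data arrived
        data = b""
    finally:
        conn.close()
    logging.info("%s:%d %s first64=%s", addr[0], addr[1],
                 classify_first_packet(data), data[:64].hex())
    return data


def serve(port: int = LISTEN_PORT) -> None:
    """Accept connections and hand each to a thread; completing the
    three-way handshake is what makes the client send its first SMB packet."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(64)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it as an unprivileged user (binding 445 needs `cap_net_bind_service`, or a container with the port mapped, as the post suggests) and pair it with a Snort 2.9 rule such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB first packet to honeypot"; flow:to_server,established; content:"SMB"; offset:5; depth:3; sid:1000001; rev:1;)`, which fires on the same first packet for both SMB1 and SMB2.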


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
